Panelists discuss need for cybersecurity tools, strategies

Moderator Joe Tomain of the Maurer School of Law introduced the four panelists during the Media School’s Cybersecurity for Journalists (and Everyone!) event. (Emma Knutson | The Media School)

What’s the best way to protect yourself and your sources from government monitoring? Don’t have possession of the information in the first place.

That was the main advice from panelists at Thursday evening’s discussion, Cybersecurity for Journalists (and Everyone!), at Franklin Hall. The Media School teamed up with experts from the IU Maurer School of Law, the IU Center for Applied Cybersecurity Research and IU’s Center for International Media Law and Policy Studies for the discussion and audience Q&A.

“The law has traditionally done the protecting of confidential sources,” said panelist and associate professor Anthony Fargo, who helped organize the event.

However, these laws don’t extend to protecting one’s phone and email records, which is how the government identifies confidential sources. In fact, the government usually doesn’t need to subpoena the journalist anymore, thanks to technology. The Obama administration prosecuted eight people for leaking information to journalists, and none of those cases required the notes or testimony of the journalists themselves.

Associate professor Anthony Fargo helped organize the event. It is the first to be funded by the new Barbara Restle Press Law Project. (Emma Knutson | The Media School)

Fargo suggested the use of burner phones, encrypted email or even “going old school” and meeting face to face each time you get information. Other panelists chimed in on this idea. Nate Cardozo, an attorney for the Electronic Frontier Foundation, spoke about what measures you may need to take depending on your personal situation. Susan Sons, a senior systems analyst at the IU Center for Applied Cybersecurity Research, covered the basic tech that is out there to protect your information from prying eyes. Marisa Kwiatkowski used her expertise as an investigative reporter for The Indianapolis Star to share the ways she protects herself and her sources.

Sons said, along with standard security methods, there are several tools out there that everyone can use to protect themselves. You can find all 17 of these methods, for people ranging from basic aptitude to expert, online.

Her biggest piece of advice, however, was to get Open Whisper, a software that encrypts text messages and phone calls.

“Open Whisper gives a tremendous amount of protection to the content of your messages and a little protection for who you are talking to,” she said.

Another suggestion on Sons’ list is to get a more protected email provider and get rid of your Gmail account. Email providers like Gmail, when faced with queries from law enforcement or the government, will not fight for your privacy and will likely not inform you if they hand over your information. That is why, Sons said, email is one of the best ways to monitor your activity.

Susan Sons serves as a senior systems analyst at Indiana University’s Center for Applied Cybersecurity Research. She discussed apps and programs to use so the government can’t tap into your information, including her advice to never use Gmail, SMS and iMessage. (Emma Knutson | The Media School)

“Regular email is like a postcard; any system that touches it can read it,” Sons explained. “Encrypted email is like a letter in an envelope. They can see names and addresses but not the content.”

Cardozo said that, while this and Sons’ 16 other methods can be helpful, they are no match if the opposition is powerful and resourceful enough.

“Even if you use everything you possibly could, if your adversary is the NSA, they’re going to get you,” he conceded.

That is why, said Cardozo, “threat modeling” is an important part of being both a journalist and an informant. Every situation in which information is leaked is different, so in order to arm yourself with the best cybersecurity, you have to assess who you should be concerned about and what information you have that could be of interest.

The best way a media outlet could protect the identity of a source is to not know that identity in the first place, he said. This can be achieved through secure online drop boxes that keep the name of the informant a secret.

“This provides a platform to keep source’s ID safe from journalists, organizations, Internet providers, anyone,” he said. “The data doesn’t exist. No one knows what the ID is, and they have no way of finding out. The best way to protect the source is to not know the ID of the source in the first place.”

Marisa Kwiatkowski of The Indianapolis Star discussed rules for journalists to follow to ensure safety and disclosure of information they’re working on. (Emma Knutson | The Media School)

Kwiatkowski said The Indianapolis Star uses a safe drop box for any informants that come their way and implements several of the methods Fargo, Cardozo and Sons mentioned. However, as a reporter who generally focuses on the stories of victims of sex trafficking, elder abuse and child abuse, she doesn’t have to worry as much about her cybersecurity.

But, like all other journalists who need to keep informants confidential, Kwiatkowski’s main goal is to protect her sources. She does this by ensuring that there is nothing to find should a hacker or government agency come looking.

“When we have a confidential source, you won’t find any of their information on any computer,” said Kwiatkowski. “And if it’s a particularly sensitive source, the information won’t even be on paper.”